Add FAQ 61 about matchsize 116 != 308; fix reference in the packet marking article

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-04 14:44:12 +00:00
parent 6b8b90a984
commit deadffcee3
2 changed files with 23 additions and 1 deletions


@ -1631,6 +1631,28 @@ iptables: Invalid argument
<filename>/etc/shorewall/modules </filename>and modify the copy to <filename>/etc/shorewall/modules </filename>and modify the copy to
include only the modules that you need.</para> include only the modules that you need.</para>
</section> </section>
<section id="faq61">
<title>(FAQ 61) I just installed the latest Debian kernel and now
"shorewall start" fails with the message "ipt_policy: matchsize 116 !=
308". What's wrong?</title>
<para>Answer: Your iptables is incompatible with your kernel. Either
</para>
<itemizedlist>
<listitem>
<para>rebuild iptables using the kernel headers that match your new
kernel; or</para>
</listitem>
<listitem>
<para>if you don't need policy match support (you are not using the
IPSEC implementation built into the 2.6 kernel) then you can rename
<filename>/lib/iptables/libipt_policy.so</filename>.</para>
</listitem>
</itemizedlist>
</section>
</section> </section>
<section> <section>
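Review bot: The second <listitem> of the new faq61 section says "you can rename /lib/iptables/libipt_policy.so" but gives no target name and does not say that the rename must be reverted if policy match support is needed later, for instance once iptables has been rebuilt as the first item describes. Suggest naming an example target and adding that sentence. The answer also never explains the numbers in the quoted message; one clause stating that "matchsize 116 != 308" is a size disagreement between iptables and the kernel for the policy match would tie the message to the stated cause ("Your iptables is incompatible with your kernel"). As a style point, the <title> uses literal double quotes around "shorewall start" and the error text, where the neighbouring context uses markup such as <filename>.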


@ -339,7 +339,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - !0 #R
<listitem> <listitem>
<para>Remember that even though 'ping' packets were marked in one of <para>Remember that even though 'ping' packets were marked in one of
the first two rules, they are still passed on to rule 3 (note that the first two rules, they are still passed on to rule 5 (note that
packets marked by rules 3 and 4 are not processed by this rule since packets marked by rules 3 and 4 are not processed by this rule since
it is in a different program). That rule moves the connection mark to it is in a different program). That rule moves the connection mark to
the packet mark, <emphasis>if the packet mark is still zero</emphasis> the packet mark, <emphasis>if the packet mark is still zero</emphasis>
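Review bot: The same <para> still hard-codes two other rule references next to the corrected "rule 5", namely "the first two rules" and "rules 3 and 4". Since one of these numbers had already drifted from the example, verify the remaining two against the rule listing before this goes in. The parenthetical "packets marked by rules 3 and 4 are not processed by this rule" is consistent with the new number, which supports the fix, but the hunk does not show the listing itself, so that check cannot be done from the diff alone.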